HARTFORD — The backpack containing a notepad with names, birth dates and Social Security numbers of Access Health CT customers was left Thursday outside a downtown deli and found by a man who turned it in to his legislator's office Friday morning, authorities said Monday as new details continued to emerge about the case.

The backpack contained information on more than 400 customers of Access Health CT, the state health exchange created by the federal Affordable Care Act.

An employee of Maximus, the exchange's call-center vendor, left work Thursday and went to New York Deli & More at 240 Trumbull St., where he apparently left the backpack outside, officials with both Maximus and Access Health CT said at a press conference Monday.

Inside the backpack was a notepad with the names of 413 people, Social Security numbers for 151 of those people, and an undisclosed number of birth dates, Access Health CT marketing chief Jason Madrak said Monday.

The Maximus employee left the deli about 4:30 p.m. Thursday, said Ilene Baylinson, president of the eastern region for Maximus. The employee got a ride home from a friend.

Before the deli closed at 7 p.m., a man brought the backpack into the deli and asked if workers would hold onto it, Alex Aldali, who works at the deli, said Monday. The owner of the deli wanted nothing to do with the backpack, Aldali said, so the man who brought it into the store left with it.

On Friday morning, House Republicans got a call from a man who wanted to turn in the backpack, said Pat O'Neil, a spokesman for House Republicans. The call was relayed from the switchboard to the office of Rep. Jay Case, R-Winchester, because the caller lives in Case's district. Case was not there, however.

A worker at Case's office took the call and received the backpack that morning, O'Neil said.

"At that point, we contacted Kevin Counihan directly, and he said, 'Oh, OK,' " O'Neil said, referring to the CEO of Access Health CT. An employee at Access Health CT went to the Legislative Office Building to retrieve the backpack and the information.

Friday afternoon, Access Health CT sent out an advisory about a possible security breach.

A representative at Maximus said Monday that it is reinforcing its policies in the aftermath of the security breach.

"The bottom line is that one of our team members made a mistake," Baylinson said. "He violated our corporate policies and procedures for handling personal data. Removing any personal data from our offices and facilities is strictly prohibited and this individual is now on administrative leave."

Baylinson added that the administrative leave will last until the police investigation is complete. The Maximus employee is "deeply sorry and has been fully cooperative with the investigation, and based upon what we know today, we have no reason to believe that any of this information was used for fraudulent purposes."

Maximus' standard procedure for hiring people includes a criminal background check, Baylinson said.

"This individual is extremely remorseful and very upset about the situation. He is one of our better employees," Baylinson said.

The Maximus employee tried to find the backpack by calling the person who drove him home Thursday and by looking for it at the Access Health CT office where he works on Friday morning, Baylinson said. He worked for a short time Friday morning, and came forward after hearing about the backpack on the news.

City police said fraud detectives were investigating the security breach.

Attorney General George Jepsen's office is also looking into the breach.

"The attorney general takes matters of privacy and data security seriously," Jepsen spokesman Robert S. Blanchard said in a statement. "Consistent with our practice in past breaches by other custodians of personal information, we reached out on Friday to Access Health CT regarding the incident and its plans to protect those potentially affected. We expect those discussions to continue as we seek to ensure that Connecticut residents' privacy and personal information is protected. In particular, the office is seeking to determine how this incident occurred, what security procedures and policies were in place before the incident, and what is being done to reduce the risk of future breaches occurring."

House Republican leader Larry Cafero on Monday released a statement questioning security protocols at the exchange.

"This disturbing development highlights the concerns we raised three months ago during a hearing that we were afraid something like this might happen," Cafero said. "We were told by Access Health CT overseers that our proposals for background checks and other safeguards were not needed, that the security situation was in hand. Clearly, that was not the case."

The House Republicans said proposed legislation included sweeping background checks of workers in the intake office that processes applications.

Also, Cafero questioned why any workers found it necessary to enter the information into a notebook.

"It strikes me as odd that someone felt compelled to compile the data into a notebook and take it from the intake offices," Cafero said.

Baylinson, of Maximus, said Monday that going forward employees would have to make any notes on dry erase boards instead of note pads.

This incident is the most recent of a number of breaches in the past five years involving personal information with some connection to health care services.

In June 2010, an online security breach put at risk the personal, financial and medical information of 470,000 WellPoint customers nationwide, including 5,600 in Connecticut. That breach affected only those who used the company's web portal to apply for individual-market health insurance through WellPoint subsidiaries, mostly Anthem Blue Cross or Anthem Blue Cross and Blue Shield, in 10 states.

In 2009, a hard drive with seven years of personal and medical information of about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost or stolen. Health Net paid $250,000 in damages to Connecticut as part of a settlement resulting from the security breach.
